Thursday, September 15, 2011

90,000 hospitals and other healthcare providers are taking part in the Medicare and Medicaid electronic health records (EHR) incentive programs, with 13,000 joining in August alone.

"When we launched in April, we had a trickle, and that trickle is turning into a faucet opening up a little more. If this trend holds, we’ll have the faucet fully going." - Robert Anthony, CMS’ Office of e-Health Standards and Services.

CMS issued a total of $264 million in payments in August, twice as much as paid out in July, and $652 million for the year to date.

Download a white paper on EHR privacy auditing service. Proactively discover violations of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.

Download a white paper on HIPAA Privacy Rule breach detection as a service. Learn about a service that proactively identifies impermissible uses and disclosures of PHI, even by authorized users - with no hardware and no on-site software.

Thursday, September 8, 2011

A nurse was fired for 5,800 violations of patient data privacy dating as far back as 2004. The nurse's snooping was discovered in 2011 by a privacy audit at the hospital where she worked in North Bay, Ontario.

The nurse looked at visit histories, prescribed drugs, lab results, and other information a nurse typically uses to perform her job. But the nurse was not part of the "circle of care" for these patients, and therefore had no legitimate reason to access the medical records.

Once the massive privacy breach was discovered, the nurse was interviewed. She is said to have admitted she had no legitimate reason to be looking at the records. Afterwards she was dismissed.

Further investigation led the hospital to believe that the information inappropriately accessed by this employee was not released to other staff or beyond the hospital and that patient care was never negatively affected.

"It is the health centre’s goal to ensure that necessary health information is readily available to appropriate caregivers to ensure patient safety and quality of care, but that it is not disclosed beyond the circle of care-givers." - Pat Stephens, hospital spokesperson

As required by the Personal Health Information Protection Act, the hospital has contacted each affected patient to inform them of the breach of their personal health information and has reported the incident to the Information and Privacy Commission of Ontario. In addition, the hospital plans to implement more rigorous audits to detect attempts to inappropriately access health care information.

While that situation is, hopefully, an extreme example, it raises the question of how frequently patient data privacy audits should be performed. The question is not how often your current resources allow you to perform audits: if you could magically receive an audit of suspicious access to patient data across all patients, what would be your preferred frequency?

Your thoughts? Feel free to post your comments anonymously.

Download a white paper on patient privacy audits as an automated service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.